Ekr editorial 17 3 #2164
Ekr editorial 17 3 #2164
Conversation
| @@ -1616,7 +1619,8 @@ Token field of its Initial packet. | |||
| A token allows a server to correlate activity between the connection where the | |||
| token was issued and any connection where it is used. Clients that want to | |||
| break continuity of identity with a server MAY discard tokens provided using the | |||
| NEW_TOKEN frame. Tokens obtained in Retry packets MUST NOT be discarded. | |||
| NEW_TOKEN frame. Tokens obtained in Retry packets MUST NOT be discarded | |||
| during connection establishment (they will not be used with new connections). | |||
|
|
|||
There was a problem hiding this comment.
How about a positive: A token obtained in a Retry packet must be used immediately during the connection attempt and cannot be used in subsequent connection attempts.
There was a problem hiding this comment.
What @mikkelfj said.
The parenthetical doesn't really make sense to me - it's true, but I don't see how it is connected to the primary statement.
| Path validation tests that packets (PATH_CHALLENGE) can be both sent | ||
| to and received (PATH_RESPONSE) from a peer on the path. Importantly, | ||
| it validates that the packets received from the migrating endpoint do | ||
| not carry a spoofed source address. | ||
|
|
There was a problem hiding this comment.
But that isn't exactly true since MITM can spoof the source address of these packets if it can guess the packet content (as you pointed out).
There was a problem hiding this comment.
Sure.. I didn't change this text, I just added the parentheticals to make it clearer. This PR is essentially editorial
draft-ietf-quic-transport.md
Outdated
| A new address is considered valid when A PATH_RESPONSE frame is received | ||
| that meets the following criteria: | ||
|
|
||
| - It contains that was sent in a previous PATH_CHALLENGE. Receipt of an |
There was a problem hiding this comment.
| - It contains that was sent in a previous PATH_CHALLENGE. Receipt of an | |
| - It contains the data that was sent in a previous PATH_CHALLENGE. Receipt of an |
draft-ietf-quic-transport.md
Outdated
| corresponding PATH_CHALLENGE was sent. If a PATH_RESPONSE frame is | ||
| received from a different remote address than the one to which the | ||
| PATH_CHALLENGE was sent, path validation is considered to have failed, | ||
| even if the data matches that sent in the PATH_CHALLENGE. |
There was a problem hiding this comment.
| even if the data matches that sent in the PATH_CHALLENGE. | |
| even if the PATH_RESPONSE data matches the PATH_CHALLENGE data. |
draft-ietf-quic-transport.md
Outdated
| successful, even if the data matches the PATH_CHALLENGE. This doesn't result in | ||
| path validation failure, as it might be a result of a forwarded packet (see | ||
| {{off-path-forward}}) or misrouting. | ||
| Note that receipt on a different local address doesn't result in path |
There was a problem hiding this comment.
| Note that receipt on a different local address doesn't result in path | |
| Note that receipt on a different local address does not result in path |
There was a problem hiding this comment.
@janaiyengar insists on avoiding contractions.
draft-ietf-quic-transport.md
Outdated
| A stateless reset will be interpreted by a recipient as a packet with | ||
| a short header. For the packet to appear as valid, the Random Bits | ||
| field needs to include at least 182 bits of data (or 24 bytes, less | ||
| the two fixed bits). This is intended to allow for a destination |
There was a problem hiding this comment.
| the two fixed bits). This is intended to allow for a destination | |
| the two fixed bits). This is intended to allow for a Destination |
draft-ietf-quic-transport.md
Outdated
| a short header. For the packet to appear as valid, the Random Bits | ||
| field needs to include at least 182 bits of data (or 24 bytes, less | ||
| the two fixed bits). This is intended to allow for a destination | ||
| connection ID of the maximum length permitted, with a minimal packet |
There was a problem hiding this comment.
| connection ID of the maximum length permitted, with a minimal packet | |
| Connection ID of the maximum length permitted, with a minimal packet |
There was a problem hiding this comment.
I'll let MT weigh in on this. This is existing text.
There was a problem hiding this comment.
Our convention is that the term "connection ID" is not capitalized, but the fields named "Connection ID" are.
There was a problem hiding this comment.
This is a field, so the capitalization is correct.
Co-Authored-By: ekr <ekr@rtfm.com>
Co-Authored-By: ekr <ekr@rtfm.com>
| on the path. Importantly, it validates that the packets received from the | ||
| migrating endpoint do not carry a spoofed source address. | ||
| Path validation tests that packets (PATH_CHALLENGE) can be both sent | ||
| to and received (PATH_RESPONSE) from a peer on the path. Importantly, |
There was a problem hiding this comment.
These are not packets, and the position of the parenthetical phrase is inconsistent between the two options.
There was a problem hiding this comment.
I agree, this likely confuses things more than it helps.
draft-ietf-quic-transport.md
Outdated
| @@ -2294,7 +2301,7 @@ coalesced (see {{packet-coalesce}}) to facilitate retransmission. | |||
|
|
|||
| ## Stateless Reset {#stateless-reset} | |||
|
|
|||
| A stateless reset is provided as an option of last resort for an endpoint that | |||
| A stateless reset is provided as an option of last resort for a server that | |||
There was a problem hiding this comment.
No, SR is bilateral, even if we expect servers to use them more frequently.
There was a problem hiding this comment.
"A client MUST NOT include an original connection ID, a stateless reset token, or
a preferred address. A server MUST treat receipt of any of these transport
parameters as a connection error of type TRANSPORT_PARAMETER_ERROR."
It does appear that a client can send one in NCID, but that's a real inconsistency.
There was a problem hiding this comment.
- OCID is only applicable to servers because it's about Retry
- Preferred Address is only applicable to servers and contains an SRT
- SRT is useless if it's ever exchanged in the clear, which the client's TPs are
After the initial CID, the client can provide an SRT and the behavior is bilateral. There was a discussion about enabling the client to supply an SRT for the initial CID after the handshake, but there wasn't great appetite for the added complexity. If the server cares about getting an SRT, it just starts using the next CID as soon as it gets one.
There was a problem hiding this comment.
It'd all be a lot simpler if we just went with client and server :-)
| have negotiated a packet protection scheme with a larger minimum AEAD expansion. | ||
| A stateless reset will be interpreted by a recipient as a packet with | ||
| a short header. For the packet to appear as valid, the Random Bits | ||
| field needs to include at least 182 bits of data (or 24 bytes, less |
There was a problem hiding this comment.
I appreciate that you're removing the suggestion that these should be "random" despite the name of the field. However, it seems worthwhile to keep "unpredictable" at least.
There was a problem hiding this comment.
The previous graf dicates the contents. This graf is about how the recipient will interpret them, and the recipient has no good way of knowing if they are random or unpredictable or whatever.
draft-ietf-quic-transport.md
Outdated
| The design of a Stateless Reset is such that without knowing the | ||
| stateless reset token it is indistinguishable from a valid packet. | ||
| This means that if a server sends a Stateless Reset to another server, | ||
| that might trigger the sending of a Stateless Reset in response, which |
There was a problem hiding this comment.
Can we get rid of one of these "that"s?
There was a problem hiding this comment.
"This means that if a server sends a Stateless Reset to another server, it might receive another Stateless Reset in response. As a result...."
There was a problem hiding this comment.
One fewer: "If a server sends a Stateless Reset to another server, it might receive another Stateless Reset in response."
draft-ietf-quic-transport.md
Outdated
| The first Handshake packet sent by a server contains a packet number of 0. | ||
| Handshake packets are their own packet number space. Packet numbers are | ||
| incremented normally for other Handshake packets. | ||
|
|
There was a problem hiding this comment.
Extra line seems unnecessary here.
| incremented normally for other Handshake packets. | ||
|
|
||
| Handshake packets are their own packet number space, and thus | ||
| the first Handshake packet sent by a server contains a packet number of 0. |
There was a problem hiding this comment.
Is this a requirement? Last I knew, some implementations were choosing to just keep a counter incrementing across all packet spaces, and that was okay. The key point is that (Initial,X) and (Handshake,X) are different packets, but IIRC there's no requirement that each space start at zero.
There was a problem hiding this comment.
" The CRYPTO frame can be sent in different packet number spaces. The
sequence numbers used by CRYPTO frames to ensure ordered delivery of
cryptographic handshake data start from zero in each packet number
space.
"
There was a problem hiding this comment.
That's the offset of the CRYPTO stream, not the packet numbers.
There was a problem hiding this comment.
My mistake. Here:
https://tools.ietf.org/html/draft-ietf-quic-transport-16#section-12.3
" This enforces cryptographic separation between the data sent in the
different packet sequence number spaces. Each packet number space
starts at packet number 0. Subsequent packets sent in the same
packet number space MUST increase the packet number by at least one."
There was a problem hiding this comment.
I think that we're operating on the assumption that you start sending from 0, but there is no strict requirement because it's unenforceable. Loss.
| that the original_connection_id transport parameter is present and | ||
| correct; otherwise, it validates that the transport parameter is | ||
| absent. A client MUST treat a failed validation as a connection error | ||
| of type TRANSPORT_PARAMETER_ERROR. |
There was a problem hiding this comment.
Adding the MUST to the validate-is-present fork seems unnecessary, but if you're going to, isn't it also a MUST to validate-is-absent?
There was a problem hiding this comment.
yes I agree. What I'm trying to do is remove language which is apparently descriptive but is actually normative. I.e., "the agent does X". That's a requirement
There was a problem hiding this comment.
Then "otherwise, it MUST validate that...."
There was a problem hiding this comment.
I'm OK with the existing or as Mike suggests.
There was a problem hiding this comment.
Hah, yes. Suggested above.
| @@ -1616,7 +1619,8 @@ Token field of its Initial packet. | |||
| A token allows a server to correlate activity between the connection where the | |||
| token was issued and any connection where it is used. Clients that want to | |||
| break continuity of identity with a server MAY discard tokens provided using the | |||
| NEW_TOKEN frame. Tokens obtained in Retry packets MUST NOT be discarded. | |||
| NEW_TOKEN frame. Tokens obtained in Retry packets MUST NOT be discarded | |||
| during connection establishment (they will not be used with new connections). | |||
|
|
|||
There was a problem hiding this comment.
What @mikkelfj said.
The parenthetical doesn't really make sense to me - it's true, but I don't see how it is connected to the primary statement.
| on the path. Importantly, it validates that the packets received from the | ||
| migrating endpoint do not carry a spoofed source address. | ||
| Path validation tests that packets (PATH_CHALLENGE) can be both sent | ||
| to and received (PATH_RESPONSE) from a peer on the path. Importantly, |
There was a problem hiding this comment.
I agree, this likely confuses things more than it helps.
draft-ietf-quic-transport.md
Outdated
| successful, even if the data matches the PATH_CHALLENGE. This doesn't result in | ||
| path validation failure, as it might be a result of a forwarded packet (see | ||
| {{off-path-forward}}) or misrouting. | ||
| Note that receipt on a different local address doesn't result in path |
There was a problem hiding this comment.
@janaiyengar insists on avoiding contractions.
| the number of packets it sends to this new address until the address | ||
| is validated (see {{migrate-validate}}). A server in the closing state | ||
| MAY instead choose to discard packets received from a new source | ||
| address. |
There was a problem hiding this comment.
The change to the fill-column is making this harder to review than I'd like. I guess that's just a consequence of insisting on wrapping at <80...
There was a problem hiding this comment.
I tried rewrapping it for him, but that makes all the comments outdated, unfortunately. I think this will need a rewrap just before merge instead, unfortunately.
draft-ietf-quic-transport.md
Outdated
| @@ -2294,7 +2301,7 @@ coalesced (see {{packet-coalesce}}) to facilitate retransmission. | |||
|
|
|||
| ## Stateless Reset {#stateless-reset} | |||
|
|
|||
| A stateless reset is provided as an option of last resort for an endpoint that | |||
| A stateless reset is provided as an option of last resort for a server that | |||
draft-ietf-quic-transport.md
Outdated
| The design of a Stateless Reset is such that without knowing the | ||
| stateless reset token it is indistinguishable from a valid packet. | ||
| This means that if a server sends a Stateless Reset to another server, | ||
| that might trigger the sending of a Stateless Reset in response, which |
There was a problem hiding this comment.
One fewer: "If a server sends a Stateless Reset to another server, it might receive another Stateless Reset in response."
draft-ietf-quic-transport.md
Outdated
| The first Handshake packet sent by a server contains a packet number of 0. | ||
| Handshake packets are their own packet number space. Packet numbers are | ||
| incremented normally for other Handshake packets. | ||
|
|
| incremented normally for other Handshake packets. | ||
|
|
||
| Handshake packets are their own packet number space, and thus | ||
| the first Handshake packet sent by a server contains a packet number of 0. |
There was a problem hiding this comment.
I think that we're operating on the assumption that you start sending from 0, but there is no strict requirement because it's unenforceable. Loss.
| that the original_connection_id transport parameter is present and | ||
| correct; otherwise, it validates that the transport parameter is | ||
| absent. A client MUST treat a failed validation as a connection error | ||
| of type TRANSPORT_PARAMETER_ERROR. |
There was a problem hiding this comment.
I'm OK with the existing or as Mike suggests.
draft-ietf-quic-transport.md
Outdated
| @@ -5326,7 +5338,7 @@ An accompanying transport parameter registration (see | |||
| specification needs to describe the format and assigned semantics of any fields | |||
| in the frame. | |||
|
|
|||
| Expert(s) are encouraged to be biased towards approving registrations unless | |||
| Expert(s) SHOULD be biased towards approving registrations unless | |||
There was a problem hiding this comment.
Not really an interoperability requirement.
| Expert(s) SHOULD be biased towards approving registrations unless | |
| Expert(s) are encouraged to be biased towards approving registrations unless |
MikeBishop
force-pushed
the
ekr_editorial_17_3
branch
from
5f6331f
to
cc14d24
Compare
draft-ietf-quic-transport.md
Outdated
| validation as a connection error of type TRANSPORT_PARAMETER_ERROR. | ||
| If the client received and processed a Retry packet, it MUST validate | ||
| that the original_connection_id transport parameter is present and | ||
| correct; otherwise, it validates that the transport parameter is |
There was a problem hiding this comment.
| correct; otherwise, it validates that the transport parameter is | |
| correct; otherwise, it MUST validate that the transport parameter is |
draft-ietf-quic-transport.md
Outdated
| containing data that was sent in a previous PATH_CHALLENGE. Receipt of an | ||
| acknowledgment for a packet containing a PATH_CHALLENGE frame is not adequate | ||
| validation, since the acknowledgment can be spoofed by a malicious peer. | ||
| A new address is considered valid when A PATH_RESPONSE frame is received |
There was a problem hiding this comment.
| A new address is considered valid when A PATH_RESPONSE frame is received | |
| A new address is considered valid when a PATH_RESPONSE frame is received |
draft-ietf-quic-transport.md
Outdated
| sent. If a PATH_RESPONSE frame is received from a different remote address than | ||
| the one to which the PATH_CHALLENGE was sent, path validation is considered to | ||
| have failed, even if the data matches that sent in the PATH_CHALLENGE. | ||
| - It is from the same remote address as that to which the |
There was a problem hiding this comment.
| - It is from the same remote address as that to which the | |
| - It is sent from the same remote address to which the |
|
Merged manually. |
No description provided.